Oxfam Australia data incident: update

Published on 1 March 2021

Following an independent IT forensic investigation, Oxfam Australia announced today that it has found that supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021.

The database includes information about supporters who may have signed a petition, taken part in a campaign or made donations or purchases through our former shops.

While the investigation found that no passwords were compromised, for the majority of supporters the database unlawfully accessed by the external party included names, addresses, dates of birth, emails, phone numbers, gender and, in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.

Oxfam Australia alerted its supporters of the potential risk on 4 February 2021 and has now begun notifying all supporters about steps that they can take to protect their information.

Oxfam Australia has notified and is working with industry regulators, including the Office of the Australian Information Commissioner and Australian Cyber Security Centre.

Chief Executive Lyn Morgain said that Oxfam Australia immediately launched the investigation and engaged industry-leading forensic IT experts to assist after being alerted on 27 January 2021 to a suspected data incident.

“Throughout the course of the investigation, we have communicated quickly and openly with our supporters, while also complying with regulatory requirements,” Ms Morgain said. “We contacted all our supporters early last month to alert them to a suspected incident, which has now been confirmed.”

Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. We recommend people remain vigilant and refrain from responding to unsolicited requests to provide information, including clicking on links and opening attachments. Scammers can seem quite believable and impersonate government, police and businesses, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.

Ms Morgain gave an assurance that Oxfam Australia would continue to work with relevant authorities and treat the incident with the utmost seriousness on behalf of its supporters.

“The privacy and protection of our supporters has been our paramount consideration during this process, which has involved a thorough and complex investigation,” Ms Morgain said.

“Oxfam supporters are at the heart of our organisation and their confidence is critical to our ongoing work in tackling the inequality that causes poverty around the world.

“We sincerely regret this incident has occurred.”

Supporters wanting to seek or provide more information on this matter can contact 1800 088 110.

For more information, please contact Amanda Banks on 0411 449 653 or amanda@oxfam.org.au

What has happened? 

Oxfam Australia was alerted to a suspected data incident on Wednesday 27 January 2021. Oxfam immediately launched an investigation and engaged IT forensic experts to assist in identifying whether data may have been accessed and any impact on our supporters. Oxfam Australia has notified and is working with industry regulators, including the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).  

The independent investigation has found that supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021. 

Oxfam Australia alerted its supporters of the potential risk on 4 February 2021. Now that the investigation has enabled Oxfam Australia to identify the extent of the unlawful access, we have begun notifying all supporters about steps that they can take to protect their information. 

How many people have been affected? How do I know if I have been impacted?

Throughout our investigation, the privacy and protection of our supporters has been our top priority. In the interests of ensuring the ongoing security of our database and our supporters’ privacy and protection and to reduce the risk of attempts by scammers to target Oxfam supporters, we are not releasing details of the number of people who may have been impacted.

As we have communicated to our supporters, while the investigation found that no passwords were compromised, for the majority of supporters the database unlawfully accessed by the external party included names, addresses, dates of birth, emails, phone numbers, gender and, in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.

When was the data potentially accessed? 

Oxfam Australia was alerted to the incident on Wednesday 27 January 2021, and on 23 February 2021, Oxfam’s IT forensic analysis was able to conclude that unauthorised access to the data took place on Wednesday 20 January 2021.  

What information has been accessed? 

While the investigation found that no passwords were compromised, for the majority of supporters the database unlawfully accessed by the external party included names, addresses, dates of birth, emails, phone numbers, gender and, in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.

What should I do? 

Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. We recommend people remain vigilant and refrain from responding to unsolicited requests to provide information, including clicking on links and opening attachments. Scammers can seem quite believable and impersonate government, police and businesses, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels. 

Have my credit card/bank details been accessed – should I cancel my card?

There was a small group of supporters who may have had their bank name, account number and BSB accessed, or part of their credit and debit card details accessed. We are contacting this group of supporters to provide advice on the particular steps that they can take to protect their information and avoid scams.

The processing of payments and storage of financial data for Oxfam Australia’s regular donors is undertaken via a payment system that is provided by our partner financial institutions and complies with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS sets the operational and technical requirements for organisations accepting or processing payment transactions. More information can be found on the PCI Security Standards Council website.

We encourage everyone to practise normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails, particularly when they request personal and account information or ask you to click on a link or open an attachment. You can find more advice on how to avoid scams generally at www.scamwatch.gov.au. Oxfam Australia will not contact you while we are investigating this data incident to ask for personal information, so please report any suspicious behaviour to us directly by contacting our team on 1800 088 110.

Has my password been compromised? Should I change my passwords? 

The IT forensic investigation found there is no evidence that passwords have been compromised. Based on that finding, Oxfam Australia will not be asking supporters to change their password. We encourage everyone to practise normal cyber security awareness, which may include regularly updating passwords.

Should I take any steps to protect the information currently held in my Oxfam account?  

While the investigation found that no passwords were compromised, we encourage everyone to practise normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails, particularly when they request personal and account information or ask you to click on a link or open an attachment.

I have been contacted by a data breach service telling me my personal information has been breached, why haven’t I heard from Oxfam Australia about this?

Oxfam Australia first contacted supporters in early February after being alerted to the suspected data incident. The IT forensic investigation which commenced in late January has provided further information about the data incident, and we have been contacting all our supporters from Monday 1 March 2021 to provide information and advice that is relevant to their individual situation.

We have many supporters and are working as quickly as possible to contact all of them, but the process does take time. If you have not received an email from us, please check your email account’s spam folder as a precaution.

Also, some supporters have requested that we do not contact them, and we are respecting their request.

Why is the alert I received from the data breach service different to the information I have received from Oxfam Australia?

Oxfam Australia engaged market leading IT forensics experts to conduct a thorough and complex investigation, which gave us precise information about the data incident.

Not all supporters have been impacted in the same way by the data incident, which is why Oxfam Australia has tailored its communications for every one of our supporters based on information and advice that is relevant to their situation.

Notifications or alerts from external data breach services may be general in nature and include advice or information that is not relevant to the specific impact on an individual.

I’ve had scam calls or unsolicited emails. Is this linked to the Oxfam Australia incident?

Australians are subjected to scam calls on a frequent basis using an array of data available from our social media accounts and many other places. www.scamwatch.gov.au publishes information on its website about the most current scams impacting the community. If you believe that scam activity you have experienced relates to this event, please contact our supporter response team on 1800 088 110. 

Why did Oxfam have my details in the first place? 

Oxfam has records of people who may have signed a petition or taken part in a campaign, or who have made donations or purchases through our former shops. The types of personal information that Oxfam collects, and how we collect, handle and use that information, are documented in our Privacy Policy.

Will Oxfam remove my details from its database if I request this? 

We can remove your contact details from our marketing database and ensure that you no longer receive marketing materials from us. We can also remove your personally identifiable information from other systems, where we are not required to retain that information in respect of our regulatory obligations or where the information is no longer required for the purpose for which it was collected. 

How does Oxfam Australia know this will not happen again? 

Oxfam Australia takes the privacy and security of our supporters’ data extremely seriously and we have taken important steps to help prevent any similar incidents happening again. While we had robust security systems in place at the time, the cybercrime environment is becoming increasingly sophisticated. In response to this, we are constantly reviewing and strengthening our security systems to protect your information.  

Have authorities been notified? 

The matter has been reported to relevant authorities, including the Australian Cyber Security Centre (ACSC) and Office of the Australian Information Commissioner (OAIC).